Identifying and keeping track of the role of a user within an enterprise is currently done manually, if at all. For example, the user's role can be tracked by manually entering information concerning the user into a human resources department database, or by manually configuring the user in a functional group in a user or identity management system, such as Active Directory or Lightweight Directory Access Protocol (“LDAP”).
Role identification within an enterprise is important for providing users with appropriate levels of access to computer systems and other resources. It is key that users have access to the resources they need to perform their roles in the organization and that, at the same time, confidential data is secured against access by those who do not need it. For example, financial analysts but not secretaries should have access to confidential financial records, and managers but not interns should have access to confidential employee reviews. Likewise, software developers should be given access to source code under development, while that source code is desirably secured against access by members of the organization who are not on the development team.
Manually configuring an identity management system with user role information is burdensome to an organization, and is frequently done inconsistently or not at all. Even where manually configured systems exist, they are often not updated in a timely manner as users change roles within an organization. Thus, it is common for such systems to leave users with inappropriate levels of access to resources.
It would be desirable to address these issues.